Solved

Firewall & ICQ

Posted on 1998-04-07
4
493 Views
Last Modified: 2013-12-23
Bastion host: FreeBSD & firewall(ipfw)
Q: How do I describe the ICQ ports in the ipfw config for Internet chat (with the external world), with no ICQ server on the bastion?
0
Comment
Question by:korzadze
4 Comments
 
LVL 1

Expert Comment

by:mzito
ID: 1583235
On the client side, in ICQ, go into the Connections tab in the Preferences folder and select "Permanent LAN" and "I'm behind a proxy server/firewall." Then click on "Firewall Settings" and set ICQ to use a range of tcp ports (you set them, but it should be no fewer than 11 ports, like 3600 to 3610). Finally, reconnect to the ICQ network to apply the new settings.

Then, using ipfw, poke a hole in the firewall for that given range of tcp ports.  I haven't used ipfw in a while, so I can't remember the exact syntax, but check the man pages for the forwarding syntax.

One more thing: you have to set up each client with a separate range of tcp ports  (i.e. Client #1 has ports 3600-3615, client #2 has ports 3616-3631, etc.). Then just poke the hole in the firewall for the whole range of ports.  Hope this answers your question.

Best Wishes,
Matthew Zito
0
 

Author Comment

by:korzadze
ID: 1583236
Sorry, but I don't know how to describe an established connection for ICQ in ipfw terms, i.e. established, setup ... and the protocols, TCP, UDP or so. (I'm a novice at dealing with Unix :-( )

From the ipfw man page:
     established   Matches packets that have the RST or ACK bits set.
                   TCP packets only.
     setup         Matches packets that have the SYN bit set but no
                   ACK bit.  TCP packets only.
0
 
LVL 1

Accepted Solution

by:
mzito earned 100 total points
ID: 1583237
Oh, okay.  That's easy enough.  The simplest solution to your question is to not specify established or setup connections.  Here's the command line for what you're looking for  (I dragged out my old FreeBSD handbook):

       ipfw add allow tcp from any to AAA.BBB.CCC.0/24 DDDD-EEEE
 
Where AAA.BBB.CCC.0/24 is your class C network
DDDD is the start port that you put into ICQ
EEEE is the final port you put into ICQ
The DDDD-EEEE port range should ideally be for all clients. (i.e. in the aforementioned example if Client #1 has 3000-3020, client #2 has 3021-3040, and client #3 has 3041-3060, your DDDD-EEEE would be 3000-3060.) That way, it's only one rule set your kernel has to match against. The other way would be to add an entry for each client. That syntax would be as follows:

       ipfw add allow tcp from any to AAA.BBB.CCC.FFF/32 DDDD-EEEE

In this case, AAA.BBB.CCC.FFF is a single ip address, which is why it is suffixed with /32. I would recommend a single rule, though, matching all clients. That way, the kernel will only match the one rule instead of one rule for each client. Hope this answered your question more thoroughly.
0
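Added example, not part of the thread and not ipfw's or ICQ's own code: a small Python script that lays out the per-client port blocks mzito describes (one contiguous block of at least 11 TCP ports per client), derives the single aggregate range for the one-rule variant, and prints the ipfw rules for either variant. It goes a step beyond the thread's single rule by splitting it into a `setup` rule (inbound connection-opening SYNs only) and `established` rules, and then checks a few constructed inbound packets against the same flag tests the man page excerpt above gives. Assumptions: the LAN is 192.0.2.0/24 (a documentation range), the client addresses are constructed, and blocks start at port 3600; `tcp` is used rather than `ip` because ipfw only accepts port lists with tcp or udp.

```python
"""Plan per-client ICQ TCP port blocks on a FreeBSD bastion, emit the matching
ipfw(8) rules, and classify sample packets with ipfw's 'setup'/'established' tests.

Assumptions (constructed, not from the thread): LAN 192.0.2.0/24, client
addresses 192.0.2.10-12, first block starting at port 3600."""
from dataclasses import dataclass

BLOCK_SIZE = 11    # the thread says ICQ needs no fewer than 11 TCP ports per client
FIRST_PORT = 3600  # constructed starting port for the first client

# TCP flag bits as defined in <netinet/tcp.h>
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Client:
    name: str
    address: str     # a single host, so per-client rules use the /32 suffix
    first_port: int
    last_port: int


def allocate_ports(hosts, first_port=FIRST_PORT, block_size=BLOCK_SIZE):
    """Hand each (name, address) pair its own contiguous, non-overlapping block."""
    if block_size < 11:
        raise ValueError("ICQ needs at least 11 TCP ports per client")
    clients, port = [], first_port
    for name, address in hosts:
        last = port + block_size - 1
        if last > 65535:
            raise ValueError("port space exhausted")
        clients.append(Client(name, address, port, last))
        port = last + 1
    return clients


def aggregate_range(clients):
    """Return 'lo-hi' covering every client, refusing overlapping blocks."""
    ordered = sorted(clients, key=lambda c: c.first_port)
    for a, b in zip(ordered, ordered[1:]):
        if b.first_port <= a.last_port:
            raise ValueError(f"{a.name} and {b.name} share ports")
    return f"{ordered[0].first_port}-{ordered[-1].last_port}"


def ipfw_rules(network, clients, per_client=False):
    """Emit ipfw rules: one aggregate set (the thread's advice) or one set per client.

    'setup' admits only the SYN that opens a connection to the ICQ ports;
    'established' passes the remaining packets of that flow in both directions."""
    if per_client:
        targets = [(f"{c.address}/32", f"{c.first_port}-{c.last_port}") for c in clients]
    else:
        targets = [(network, aggregate_range(clients))]
    rules = []
    for dst, ports in targets:
        rules.append(f"ipfw add allow tcp from any to {dst} {ports} setup")
        rules.append(f"ipfw add allow tcp from any to {dst} {ports} established")
        rules.append(f"ipfw add allow tcp from {dst} {ports} to any established")
    return rules


def matches_setup(flags):
    """ipfw 'setup': SYN bit set and ACK bit clear."""
    return bool(flags & TH_SYN) and not flags & TH_ACK


def matches_established(flags):
    """ipfw 'established': RST or ACK bit set."""
    return bool(flags & (TH_RST | TH_ACK))


# Constructed inbound packets: (label, destination port, TCP flags)
SAMPLE_PACKETS = [
    ("SYN to a client's ICQ port", 3605, TH_SYN),
    ("ACK to a client's ICQ port", 3630, TH_ACK),
    ("SYN+ACK to a client's ICQ port", 3605, TH_SYN | TH_ACK),
    ("SYN to a port outside the range", 3700, TH_SYN),
    ("no flags set, port in range", 3605, 0),
]


def filter_inbound(packets, clients):
    """Which inbound packets the aggregate rules pass (True) or fall through (False)."""
    lo, hi = (int(p) for p in aggregate_range(clients).split("-"))
    return {
        label: lo <= dport <= hi and (matches_setup(flags) or matches_established(flags))
        for label, dport, flags in packets
    }


if __name__ == "__main__":
    lan = allocate_ports([("pc1", "192.0.2.10"), ("pc2", "192.0.2.11"), ("pc3", "192.0.2.12")])
    for rule in ipfw_rules("192.0.2.0/24", lan):
        print(rule)
    for label, passed in filter_inbound(SAMPLE_PACKETS, lan).items():
        print(f"{'allow' if passed else 'no match':8} {label}")
```

With three clients the script prints one aggregate range of 3600-3632 and three rules; passing `per_client=True` prints nine, one triple per /32, which is the trade-off mzito points out between rule count and per-client precision. Packets to ports outside the range, or with neither SYN, ACK nor RST set, match none of the rules and fall through to whatever deny rule follows.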
 

Expert Comment

by:mseiden
ID: 1583238
icq has both a proprietary protocol and proprietary code you run on your desktop. that protocol can be manipulated to install a back door on your machine. for one example, see http://members.tripod.com/~hakz/ICQ/index.html, which claims one such back door has been written capable of executing arbitrary commands on your desktop machine.

there have been a number of data-driven attacks on icq posted to various bug reporting lists. i recommend to my clients that icq not be allowed through firewalls until the protocol is published and proxies are written that can handle it.
0
